Electrum binaries flagged by some antivirus (false positive) #3198
Comments
|
Heur means a heuristic algorithm. So Symantec is not sure. |
|
Windows Defender detects Trojan:Win32/Bitrep.A . This seems to happen only with the standalone wallet. |
|
Submit Electrum to Microsoft, select "this file has been incorrectly detected". |
|
After downloading electrum-3.0.3-portable.exe and also the portable version, my antivirus detects it as a trojan. 6 engines on virustotal also detect that... |
|
Me too I got a warning on Defender and it auto delete the file as it's flagged as severe. |
|
The latest version of Electrum seems to have no false positives: https://www.virustotal.com/#/url/74a504769e700af48b0885e48705917e36fb3c3ab9700e3ad0b17d042b38a307/detection |
|
@bauerj the URL doesn't but the file does. I think all these false positives started to appear after the 3.0 release, when we switched to python3 and pyinstaller3, right? |
SomberNight
changed the title
|
I was thinking we could try to encrypt the binaries, to throw off antivirus heuristics. We would need to do this in a way that doesn't negate all the work done toward deterministic builds... Pyinstaller seems to have some support for this https://pythonhosted.org/PyInstaller/usage.html#encrypting-python-bytecode But looks like there are some problems with using this pyinstaller-provided-encryption: |
|
I'm not sure if that wouldn't make the binary look even more suspicious for virus scanners. Maybe we can reach out to antivirus providers so they can mark this as a false-positive? |
|
For the Windows 3.10 release files: VirusTotal is reporting the following: Also, sigcheck -a reports the files are dated 2017-07-31, and are not (code) signed: The only way I could trust these installers was to check their gpg signatures, which I doubt most new users will go to the trouble to do: |
|
Future Electrum binaries (hopefully starting with 3.1.1) will be code-signed with a (CA-) trusted certificate. Hopefully this will improve the situation somehow. |
|
The results are better, but still quite untrustworthy: |
............... if your measure of trustworthiness of a binary is based on how many anti-viruses it passes, you’re gonna have a bad time. |
|
Standalone version 3.2.2 it's being flagged too: https://www.virustotal.com/#/file/d56c94c2846605721a4ab9b578c422cfc9c88c962fd75524c73a75e1bf3a58a9/ |
|
Thanks. I wonder why these products alert their users for something that they clearly recognize as "not-a-virus:NetTool.Win32.TorJok.amg". |
|
I just verified that Thomas signed the exe with the hash d56c94c2846605721a4ab9b578c422cfc9c88c962fd75524c73a75e1bf3a58a9 False positive, or Thomas put a virus in it. But since Thomas is putting his neck on the line by being a public figure with his real name, I doubt it has a virus in it. Remember, I could be lying to you. Verify yourself. kthxbye |
@SomberNight This is not a good approach IMO, as it will make it more difficult to reverse-engineer the binaries. Reverse-engineering the binaries would be useful for things like auditing whether a compiler bug (or backdoor) has produced a security issue in the binary (which is something that reproducible builds won't necessarily protect you from). |
|
Lots of users keep asking about Electrum exes being flagged by different anti-viruses, so I would like to clarify the "official" stance of the project. from #4986 (comment):
Anti-virus software have (and always had) false positives, and some of them tag Electrum as malware. This is out of our control. This does not mean that Electrum is or contains malware. The Windows binaries are signed using the native Windows signing scheme by an entity named If you trust the developers of the project, you can verify the GPG signature, and ignore any anti-virus warnings. If you don't trust the developers with not backdooring the binaries, you can (1) build binaries yourself; or (2) you can run from source. Some of the binaries are built reproducibly, so you can also check that those match. If you have the technical knowledge, the time, and willingness, you are more than welcome to look into our build process, the tools being used, our dependencies, or just the source code in general, and suggest changes. |
|
@SomberNight I will add a note to the website, summarizing your comment |
|
done. closing this |
|
We now build a custom PyInstaller bootloader; see 1d0f679 |
The problem is described in Subject.
It detects electrum as Heur.AdvML.B virus.
Here is a screenshot
I download electrum from the next link : https://download.electrum.org/3.0/electrum-3.0.0.exe
Is it problem in antivirus or is there any risk to download from your site malware file. I mean, is there some possible risk that DNS was changed and so on. Like some one tries to compromise your website or downloadable file?
At my 2nd PC with Windows 10 all is fine, but there another antivirus exists.
Thank you.
The text was updated successfully, but these errors were encountered: